
Sexual harassment training phishing scam

The Wisconsin Department of Justice’s Bureau of Computing Services Security warns of an ongoing phishing and social engineering campaign aimed at state and local government employees in Wisconsin.

The campaign begins with a phishing email encouraging recipients to complete a “Discrimination & Sexual Harassment Training” within 24 hours. The email contains a link to a malicious web page that prompts you for your username and password. If you enter your credentials into this web page, attackers take control of your email account and use it to send more phishing emails. In the past two weeks, several people at state agencies, courts and county governments have had their accounts compromised by this campaign.

This phishing email is well written and looks legitimate. To date, every email has had the same subject line, “Discrimination/Sexual Harassment Prevention Training.” If you receive an email with that subject line, do not click any of the links it contains, and report the email.

To report general phishing emails, go to www.antiphishing.org. To report phishing emails that appear to be from within the UW–Madison campus, go to Report an Incident or forward the email to abuse@wisc.edu. You can also submit the offending email using the report spam feature in your web or desktop email client. Learn more about submitting spam or phishing messages.

The text of the email follows:

Good morning

Our records show that your Discrimination & Sexual Harassment Training will expire within the next 24hrs. In order to keep your training updated, you may register on our [links to malicious site] Training Calendar [end of link text] for a live training session or take the online training [second link, presumably also to a malicious site], please see policy for details on which session you must attend/take.

The Updated Anti-Harassment Policy requires:

  • Every non-supervisory employee must attend the County’s “Discrimination and Sexual Harassment Prevention Training for Employees” upon hire and every year thereafter during the course of their employment with the County. While non-supervisory employees have the option of completing the training online via the online training intranet, it is required that in-person trainings are completed at least every other training to ensure a thorough understanding.
  • Every supervisor must attend the County’s “Discrimination and Sexual Harassment Prevention Training for Supervisors” upon hire and every year thereafter during the course of their employment with the County. Supervisors have the option of completing the training online and must attend an in-person training each time the training is due.

Your attention to this matter is greatly appreciated. Have a great day.

Thank you,

Human Resources Training & Development

The email contains a link to a malicious but convincing-looking Microsoft Office Outlook web client login page:

[Image: malicious website login resembling the Office 365 Outlook web client login page]

Other higher education institutions, such as the University of Michigan, the University of Arizona and the University of Oregon, have also issued warnings of what appears to be the same campaign.
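Because every reported email used the same subject line, a mail administrator can sweep stored or quarantined messages for it. The script below is an added example, not part of the original advisory: it matches the subject after decoding encoded words and stripping Re:/Fw: prefixes, then lists the hosts the message links to so they can be reported. The sample messages and the host `login.example.invalid` are constructed for illustration.

```python
import email
import re
from email import policy
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Subject line quoted in the advisory; every reported email used it.
CAMPAIGN_SUBJECT = "Discrimination/Sexual Harassment Prevention Training"

def normalize_subject(raw):
    """Collapse whitespace, drop Re:/Fw:/Fwd: prefixes, casefold."""
    s = re.sub(r"\s+", " ", str(raw or "")).strip()
    return re.sub(r"^(?:(?:re|fw|fwd)\s*:\s*)+", "", s, flags=re.I).casefold()

class LinkHosts(HTMLParser):
    """Collect the hostnames of <a href> targets for analyst review."""
    def __init__(self):
        super().__init__()
        self.hosts = set()
    def handle_starttag(self, tag, attrs):
        if tag != "a":
            return
        try:
            host = urlsplit(dict(attrs).get("href") or "").hostname
        except ValueError:  # malformed URL: nothing to record
            host = None
        if host:
            self.hosts.add(host.lower())

def triage(raw_message):
    """Return (matches_campaign, sorted link hosts) for one raw message.
    policy.default unfolds headers and decodes RFC 2047 encoded words."""
    msg = email.message_from_bytes(raw_message, policy=policy.default)
    if normalize_subject(msg["Subject"]) != normalize_subject(CAMPAIGN_SUBJECT):
        return False, []
    parser = LinkHosts()
    body = msg.get_body(preferencelist=("html",))
    if body is not None:
        parser.feed(body.get_content())
    return True, sorted(parser.hosts)

# Constructed samples (not real messages); hosts use reserved example domains.
SAMPLE_PHISH = (
    b"From: hr@example.org\r\n"
    b"Subject: FW: =?utf-8?q?Discrimination/Sexual_Harassment?=\r\n"
    b" Prevention  Training\r\n"
    b"Content-Type: text/html; charset=utf-8\r\n\r\n"
    b'<a href="https://login.example.invalid/owa">Training Calendar</a>\r\n'
)
SAMPLE_BENIGN = b"From: hr@example.org\r\nSubject: Benefits enrollment\r\n\r\nHello\r\n"
```

An exact subject match only catches this campaign as reported; a changed subject line would need a new indicator.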

Related article: Learn how to recognize and report phishing.